Internet commerce, or e-commerce as it is otherwise known, relates to the buying and selling of products and services between consumers and merchants over the Internet or other like transactional exchanges of information. The convenience of shopping over the Internet has sparked considerable interest in e-commerce on behalf of both consumers and merchants. Internet sales, or like transactions, have been typically carried out using standard credit cards such as Visa®, MasterCard®, Discover®, American Express®, or the like, or standard debit cards, i.e., check cards or automated teller machine (ATM) cards which directly access funds from an associated deposit account or other bank account. Other payment methods have also been developed for making payments in connection with e-commerce transactions. For example, these include PayPal®, Bill Me Later®, Secure eBill, Western Union, and the like.
While widely used for more traditional face-to-face transactions, use of standard cards in connection with e-commerce presents certain difficulties, including difficulties concerning authentication or positive identification of the cardholder. For example, maintaining consumer confidence in security has become difficult with increased reports of fraud. The resulting apprehension is also fueled by consumer uncertainty of the reputation or integrity of a merchant with whom the consumer is dealing. Questionable security of the consumer's card information or other personal information typically submitted along with a traditional e-commerce transaction (e.g., address, card number, phone number, etc.) serves to increase apprehension even more. Additionally, cardholders, merchants and financial institutions are all concerned about safeguarding against fraudulent or otherwise unauthorized transactions. Similarly, other payments methods are concerned with security.
Accordingly, various payment networks have implemented initiatives or programs aimed at safeguarding against fraud. For example, Visa® and MasterCard® both support authentication initiatives whereby a cardholder is authenticated by the bank or financial institution issuing the card, i.e., the issuing bank. FIG. 1, illustrates one such exemplary authentication initiative. As shown in this example, a consumer/cardholder 10, e.g., employing a suitable web browser or the like, is making an on-line purchase, e.g., over the Internet, from a merchant 20. As is known in the art, the illustrated back-end payment processing chain includes an optional payment gateway 30, the merchant's financial institution or acquiring bank 32, the credit card network 34 and the issuing bank 36.
At a point of checkout, the consumer 10 selects an appropriate payment method based on the initiatives supported by the merchant 20. At this point, the consumer fills out the on-line checkout form including a payment option, card number, expiration date, etc. Based on the payment information, the merchant 20, via a plug-in 22 installed on their server, passes a verify enrollment request (VEReq) message to a directory 38 on a server, e.g., suitably operated by the credit card network 34. The directory 38 includes a database associating participating merchants with their acquiring banks and a database associating card number ranges with locations or addresses, e.g., universal resource locator (URL) addresses, of issuing banks' authentication servers, e.g., the authentication server 40 for issuing bank 36. The VEReq message is a request to verify the enrollment of the card in the authentication program, and it contains the card number provided by the consumer 10.
Based on the card number range stored within the directory, the VEReq message will be sent to the appropriate URL address for the server 40 which returns to the merchant 20 via the directory 38 a response thereto, i.e., a verify enrollment response (VERes). That is to say, the server 40 will verify the enrollment status of the card and respond with a VERes message to the directory 38 which is then passed back to the merchant's plug-in component 22.
Based on the VERes message (i.e., if positive), the merchant plug-in component 22 will redirect the cardholder's browser to the server 40 by passing it a payer authentication request (PAReq) message generated by the merchant's plug-in component 22. The consumer 10 then completes an authentication process directly with the server 40. The authentication server 40 authenticates the consumer/cardholder 10 and responds to the merchant 20 with a payer authentication response (PARes) message including a digital signature. The merchant's plug-in component 22 validates the digital signature of the PARes and extracts the authentication status and other specified data that is to be used by the merchant 20 during the payment authorization process carried out via the back-end payment processing chain. For example, the merchant 20 sends an authorization/sale transaction to their payment gateway 30 along with the data elements received from the PARes. The payment gateway 30 routes the data to the acquiring bank 32 based on the acquirer's specification. The acquiring bank 32 then sends the data via the appropriate credit card network 34 to the issuing bank 36 for settlement.
When using authentication initiatives such as the aforementioned example, the credit card network often ensures participating merchants that fraudulent transactions and other charge backs, as they are known in the art, will not be the merchants' responsibility provided the specified protocols have been followed. However, there are considerable burdens placed upon the merchants to participate in the authentication initiatives. For example, typical installation of the merchant plug-in can be overly burdensome using up resources, i.e., computing power, memory, data storage capacity, etc., the merchant would otherwise prefer to devote to other tasks. Often, the plug-in component can be extremely large and/or cumbersome to implement on the merchant's server. Moreover, for a merchant that participates in a plurality of such authentication programs for multiple credit card networks, the burden can be that much more, i.e., requiring a separate plug-in component for each individual authentication initiative they wish to support, especially considering that each credit card network may have its own particular protocols, data fields that are employed in the respective messages, specific data format requirements, etc.
Further, the merchants are responsible for remaining current with initiative protocols that can change periodically. That is to say, as the authentication protocols are updated and/or changed by the respective credit card networks, the merchants are likewise responsible for updating and/or changing their plug-in components to reflect those update and/or changes being mandated by the credit card networks.
The present inventive subject matter contemplates a new and improved system and/or method which overcomes the above-referenced problems and others.